security.acme: add TLS ALPN challenge

nobodyinperson · nobodyinperson · commit dd7670fe4dd1 · 2025-05-07T10:37:14.000+02:00
This commit adds the `tlsMode`, `tlsPort` and `conflictingServices`
options to `services.acme.[...]` to allow using it even if port 80 is
blocked and DNS access is impossible. Integration with nginx's
enableACME=true is adjusted accordingly.
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
@@ -274,6 +274,12 @@ let
             "--http.port"
             data.listenHTTP
           ]
+        else if data.tlsMode then
+          [
+            "--tls"
+            "--tls.port"
+            ":${toString data.tlsPort}"
+          ]
         else
           [
             "--http"
@@ -404,6 +410,13 @@ let
 
       renewService = lockfileName: {
         description = "Renew ACME certificate for ${cert}";
+        # stop conflicting services while certs are renewed
+        conflicts = data.conflictingServices;
+        # start conflicting services again after cert renewal
+        # This causes systemd to issue a warning 'multiple trigger source candidates for exit status propagation',
+        # but this is more robust and not prone to race conditions as invoking systemctl in ExecStartPost/ExecStopPost
+        onSuccess = data.conflictingServices;
+        onFailure = data.conflictingServices;
         after = [
           "network.target"
           "network-online.target"
@@ -471,13 +484,17 @@ let
                 fi
               '');
           }
-          //
-            lib.optionalAttrs
-              (data.listenHTTP != null && lib.toInt (lib.last (lib.splitString ":" data.listenHTTP)) < 1024)
-              {
-                CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-                AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-              };
+          // (
+            let
+              needsToOpenPrivilegedPort =
+                (data.listenHTTP != null && lib.toInt (lib.last (lib.splitString ":" data.listenHTTP)) < 1024)
+                || (data.tlsMode && data.tlsPort < 1024);
+            in
+            lib.optionalAttrs needsToOpenPrivilegedPort {
+              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+            }
+          );
 
         # Working directory will be /tmp
         script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''
@@ -670,6 +687,19 @@ let
           description = "Group running the ACME client.";
         };
 
+        conflictingServices = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          inherit (defaultAndText "conflictingServices" [ ]) default defaultText;
+          description = ''
+            List of conflicting systemd services that should be temporarily stopped
+            while renewing/checking certificates. This might be necessary with `tlsMode=true`
+            when a webserver occupies the `tlsPort`.
+          '';
+          example = ''
+            [ "nginx.service" ] # stops nginx temporarily while renewing/checking certificates
+          '';
+        };
+
         reloadServices = lib.mkOption {
           type = lib.types.listOf lib.types.str;
           inherit (defaultAndText "reloadServices" [ ]) default defaultText;
@@ -733,6 +763,18 @@ let
           '';
         };
 
+        tlsMode = lib.mkOption {
+          type = lib.types.bool;
+          inherit (defaultAndText "tlsMode" false) default defaultText;
+          description = "Use TLS challenge instead of HTTP.";
+        };
+
+        tlsPort = lib.mkOption {
+          type = lib.types.port;
+          inherit (defaultAndText "tlsPort" 443) default defaultText;
+          description = "Port to use for TLS challenge.";
+        };
+
         environmentFile = lib.mkOption {
           type = lib.types.nullOr lib.types.path;
           inherit (defaultAndText "environmentFile" null) default defaultText;
@@ -1090,6 +1132,7 @@ in
                     webroot
                     listenHTTP
                     s3Bucket
+                    tlsMode
                     ;
                 };
               in
@@ -1101,6 +1144,7 @@ in
                   `security.acme.certs.${cert}.webroot`,
                   `security.acme.certs.${cert}.listenHTTP` and
                   `security.acme.certs.${cert}.s3Bucket`
+                  `security.acme.certs.${cert}.tlsMode`
                   is required.
                   Current values: ${(lib.generators.toPretty { } exclusiveAttrs)}.
                 '';
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
@@ -15,8 +15,12 @@ let
     vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null
   ) vhostsConfigs;
   vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
-  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server
-  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server
+  dependentCertNames = filter (
+    cert: certs.${cert}.dnsProvider == null && !certs.${cert}.tlsMode
+  ) vhostCertNames; # those that might depend on the HTTP server
+  independentCertNames = filter (
+    cert: certs.${cert}.dnsProvider != null || certs.${cert}.tlsMode
+  ) vhostCertNames; # those that don't depend on the HTTP server
   virtualHosts = mapAttrs (
     vhostName: vhostConfig:
     let
@@ -422,13 +426,14 @@ let
         redirectListen = filter (x: !x.ssl) defaultListen;
 
         # The acme-challenge location doesn't need to be added if we are not using any automated
-        # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
+        # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 or TLS-ALPN challenge
         acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
         acmeLocation =
           optionalString
             (
               (vhost.enableACME || vhost.useACMEHost != null)
-              && config.security.acme.certs.${acmeName}.dnsProvider == null
+              && certs.${acmeName}.dnsProvider == null
+              && !certs.${acmeName}.tlsMode
             )
             # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
             # We use ^~ here, so that we don't check any regexes (which could
@@ -1632,7 +1637,11 @@ in
             # if acmeRoot is null inherit config.security.acme
             # Since config.security.acme.certs.<cert>.webroot's own default value
             # should take precedence set priority higher than mkOptionDefault
-            webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;
+            webroot =
+              if certs.${vhostConfig.serverName}.tlsMode then
+                null
+              else
+                mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;
             # Also nudge dnsProvider to null in case it is inherited
             dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
             extraDomainNames = vhostConfig.serverAliases;
